From 6dc167e43d6cb631a31a9b223a245177ff9ec2f0 Mon Sep 17 00:00:00 2001 From: Todd Gamblin Date: Mon, 28 Aug 2023 11:06:17 -0700 Subject: security: change `SECURITY.md` to recommend GitHub's private reporting (#39651) GitHub's beta private security issue reporting feature is enabled on the Spack repo now, so we can change `SECURITY.md` to recommend using it instead of `maintainers@spack.io`. - [x] Update `SECURITY.md` to direct people to the GitHub security tab. - [x] Update working in `SECURITY.md` to say "last two major releases" with a link to the releases page, instead of explicitly listing release names. This way we don't have to update it (which we keep forgetting to do). --- SECURITY.md | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 3a8381140c..c0cb40cbde 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,24 +2,26 @@ ## Supported Versions -We provide security updates for the following releases. +We provide security updates for `develop` and for the last two +stable (`0.x`) release series of Spack. Security updates will be +made available as patch (`0.x.1`, `0.x.2`, etc.) releases. + For more on Spack's release structure, see [`README.md`](https://github.com/spack/spack#releases). +## Reporting a Vulnerability -| Version | Supported | -| ------- | ------------------ | -| develop | :white_check_mark: | -| 0.19.x | :white_check_mark: | -| 0.18.x | :white_check_mark: | +You can report a vulnerability using GitHub's private reporting +feature: -## Reporting a Vulnerability +1. Go to [github.com/spack/spack/security](https://github.com/spack/spack/security). +2. Click "Report a vulnerability" in the upper right corner of that page. +3. Fill out the form and submit your draft security advisory. -To report a vulnerability or other security -issue, email maintainers@spack.io. +More details are available in +[GitHub's docs](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability). -You can expect to hear back within two days. -If your security issue is accepted, we will do -our best to release a fix within a week. If -fixing the issue will take longer than this, -we will discuss timeline options with you. +You can expect to hear back about security issues within two days. +If your security issue is accepted, we will do our best to release +a fix within a week. If fixing the issue will take longer than +this, we will discuss timeline options with you. -- cgit v1.2.3-60-g2f50